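"""Tools for checking certificate revocation."""
import logging
import re

from subprocess import Popen, PIPE

from certbot import errors
from certbot import util

logger = logging.getLogger(__name__)


class RevocationChecker(object):
    """Work out how OCSP checking is done on this system, and perform it.

    Every failure path in this class fails open: when openssl is missing,
    the responder cannot be reached, or the response cannot be verified or
    parsed, the certificate is reported as *not* revoked. Callers that need
    a hard-fail revocation policy must not treat a ``False`` result as proof
    that the certificate is good.

    """

    def __init__(self):
        # ``broken`` short-circuits ocsp_revoked(); ``host_args`` is only
        # assigned when openssl is available.
        self.broken = False

        if not util.exe_exists("openssl"):
            logger.info("openssl not installed, can't check revocation")
            self.broken = True
            return

        # New versions of openssl want -header var=val, old ones want -header var val
        # The probe is an argv list, so no shell is involved.
        test_host_format = Popen(["openssl", "ocsp", "-header", "var", "val"],
                                 stdout=PIPE, stderr=PIPE, universal_newlines=True)
        _out, err = test_host_format.communicate()
        if "Missing =" in err:
            self.host_args = lambda host: ["Host=" + host]
        else:
            self.host_args = lambda host: ["Host", host]

    def ocsp_revoked(self, cert_path, chain_path):
        """Get revoked status for a particular cert version.

        .. todo:: Make this a non-blocking call

        :param str cert_path: Path to certificate
        :param str chain_path: Path to intermediate cert
        :rtype: bool
        :returns: True if revoked; False if valid or the check failed

        """
        if self.broken:
            return False

        # The responder URL is read from the certificate itself, so it is only
        # as trustworthy as the certificate file at cert_path.
        url, host = self.determine_ocsp_server(cert_path)
        if not host:
            return False

        # jdkasten thanks "Bulletproof SSL and TLS - Ivan Ristic" for documenting this!
        # -no_nonce: the request carries no nonce.
        # -CAfile / -verify_other / -trust_other: the response is checked
        # against chain_path; the result is only acted on when openssl reports
        # "Response verify OK" (see _translate_ocsp_query).
        cmd = ["openssl", "ocsp",
               "-no_nonce",
               "-issuer", chain_path,
               "-cert", cert_path,
               "-url", url,
               "-CAfile", chain_path,
               "-verify_other", chain_path,
               "-trust_other",
               "-header"] + self.host_args(host)
        logger.debug("Querying OCSP for %s", cert_path)
        logger.debug(" ".join(cmd))
        try:
            output, err = util.run_script(cmd, log=logger.debug)
        except errors.SubprocessError:
            # Fail open: an unreachable responder does not mark the cert revoked.
            logger.info("OCSP check failed for %s (are we offline?)", cert_path)
            return False

        return _translate_ocsp_query(cert_path, output, err)

    def determine_ocsp_server(self, cert_path):
        """Extract the OCSP server host from a certificate.

        The host is everything after ``://`` in the URI printed by openssl,
        with trailing slashes removed.

        :param str cert_path: Path to the cert we're checking OCSP for
        :rtype tuple:
        :returns: (OCSP server URL or None, OCSP server host or None)

        """
        try:
            url, _err = util.run_script(
                ["openssl", "x509", "-in", cert_path, "-noout", "-ocsp_uri"],
                log=logger.debug)
        except errors.SubprocessError:
            logger.info("Cannot extract OCSP URI from %s", cert_path)
            return None, None

        url = url.rstrip()
        # NOTE(review): a URI with a path component keeps that path in ``host``
        # and therefore in the Host header -- confirm this is intended.
        host = url.partition("://")[2].rstrip("/")
        if host:
            return url, host

        logger.info("Cannot process OCSP host from URL (%s) in cert at %s", url, cert_path)
        return None, None


def _translate_ocsp_query(cert_path, ocsp_output, ocsp_errors):
    """Parse openssl's weird output to work out what it means.

    :param str cert_path: Path of the certificate that was queried; openssl
        prefixes the status line with it
    :param str ocsp_output: stdout of ``openssl ocsp``
    :param str ocsp_errors: stderr of ``openssl ocsp``
    :rtype: bool
    :returns: True only when the response verified and reports ``revoked``;
        False for good, unknown, unverified or unparseable responses

    """
    states = ("good", "revoked", "unknown")
    # cert_path is a file system path, not a pattern: escape it so characters
    # such as "." or "+" match literally and "(" or "[" cannot raise re.error
    # or change what the status line is matched against.
    path_pattern = re.escape(cert_path)
    patterns = [r"{0}: (WARNING.*)?{1}".format(path_pattern, s) for s in states]
    good, revoked, unknown = (re.search(p, ocsp_output, flags=re.DOTALL) for p in patterns)

    warning = good.group(1) if good else None

    # A status is only trusted when openssl verified the response signature.
    if ("Response verify OK" not in ocsp_errors) or (good and warning) or unknown:
        logger.info("Revocation status for %s is unknown", cert_path)
        logger.debug("Uncertain output:\n%s\nstderr:\n%s", ocsp_output, ocsp_errors)
        return False
    elif good and not warning:
        return False
    elif revoked:
        warning = revoked.group(1)
        if warning:
            logger.info("OCSP revocation warning: %s", warning)
        return True
    else:
        logger.warning("Unable to properly parse OCSP output: %s\nstderr:%s",
                       ocsp_output, ocsp_errors)
        return False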